Adding an AWS endpoint to vRealize Automation 7

Although it’s fairly limited, you can add AWS as an endpoint for vRealize Automation 7 and consume EC2 AMIs as part of a blueprint. You can even add the deployed instances to an existing Elastic Load Balancer at deploy time. In this post I’ll run through the basics to get up and running and deploy your first highly available (multiple Availability Zone, load balanced) blueprint.

Preparing AWS for use as a vRA endpoint

There are some obvious prerequisites for attaching an AWS endpoint – for example, you need to have a VPC configured. There are plenty of resources out there for creating a VPC, so I won’t extend this post by replicating them. This is what I’m using:

A VPC with a network CIDR of 10.0.0.0/16

Subnet “Pub-10.0.1.0/24” in “eu-west-1a”

Subnet “Pub-10.0.0.0/24” in “eu-west-1b”

EC2

Elastic Load Balancer enabled and pointing to both subnets on port 80

AWS endpoints are not configured using a user name and password; instead you need to create a user within AWS’s Identity & Access Management console. You can find it on your AWS console under Security and Identity:

Create a group and assign policy

AWS best practice is to assign permissions at the group level rather than at the user level, so let’s create a group for vRA. Select the Groups page and then “Create New Group”. I’ve called my group “DefinIT-Lab”, then click Next Step.

If you look at the AWS User Roles and Credentials Required in the vRA7 documentation, you’ll see that we need to assign the Power User role to our user. To do this we can filter the list of policies and attach the PowerUserAccess policy to the new group.

Review the group name and attached policies, then click Create Group.

Create a user and an access key for vRA

Select the Users page and then “Create New Users”. You can bulk add users, but for my purposes I need just the one for my vRA instance. I’m creating a user called DefinIT-vRA. Ensure the “Generate an access key for each user” option is ticked.

Once successfully created, the user’s credentials are also available – and before you try and access my AWS account, the user in this post has been deleted 🙂 Be sure to make a note of the credentials – once you finish the create wizard you won’t see the Secret Access Key again. You can also download the credentials as a CSV file if needed.

At this point the user has no permissions, so we need to assign a group and some permissions. Fortunately, we created a group for that purpose just now! Select the newly created user and click “Add User to Groups” under the Groups tab.

Configuring vRA for AWS

Creating an AWS Endpoint in vRA

First, let’s set up some credentials based on the user we created earlier. Log into vRA with a user that has Infrastructure Admin permissions and select Infrastructure > Endpoints > Credentials. Click “New” to create a new credential, then enter a Name and Description that suit you. Enter the Access Key ID generated for your user as the User Name, and the Secret Access Key as the password.

Next select Endpoints and click New > Cloud > Amazon EC2.

Add a Name, Description and select the Credentials we just created.

vRA will now kick off a data collection against AWS using your credentials. To check on its progress you can select Data Collection from the contextual menu.
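If data collection fails with “AWS was not able to validate the provided access credentials” (the error reported in the comments below), it helps to test the Access Key ID and Secret Access Key outside vRA. The following is an added example, not code from the original post: it signs an STS GetCallerIdentity request with SigV4 using only the Python standard library, so a valid key pair returns the IAM user’s ARN and a bad key or a skewed clock returns the AWS error code. The key values used in the test are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.request

STS_HOST = "sts.amazonaws.com"  # global STS endpoint; its SigV4 credential scope is us-east-1
BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: HMAC chain secret -> date -> region -> service -> aws4_request
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def build_signed_request(access_key: str, secret: str, amz_date: str) -> dict:
    """Headers for a SigV4-signed POST to STS. amz_date (YYYYMMDDTHHMMSSZ) is part of
    the signed string, so a skewed clock produces a signature AWS rejects."""
    date = amz_date[:8]
    scope = f"{date}/us-east-1/sts/aws4_request"
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": STS_HOST, "x-amz-date": amz_date}  # lower-cased, sorted, per SigV4
    signed_headers = ";".join(headers)
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in headers.items())
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers,
                                   hashlib.sha256(BODY.encode()).hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, date, "us-east-1", "sts"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def check_credentials(access_key: str, secret: str) -> str:
    """Return the STS response body: a 200 names the IAM user (Arn=...); an error body with
    InvalidClientTokenId or SignatureDoesNotMatch means the key pair or the clock is wrong."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    req = urllib.request.Request(f"https://{STS_HOST}/", data=BODY.encode(),
                                 headers=build_signed_request(access_key, secret, now))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.request.HTTPError as err:  # a 4xx body still carries the XML error code
        return err.read().decode()
```

Run `check_credentials()` with the key pair you entered into the vRA credential and compare the host’s clock with the time AWS echoes back in an error response; the same signature check is what the DEM worker is failing when it reports the credential error.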

Create a Fabric Group for AWS

Next, create a new fabric group for the AWS regions. You need to be logged in with a user that has Fabric Administrator rights. Select Infrastructure > Endpoints > Fabric Groups > New and enter a Name, Description and select the Fabric Administrators. I want to make use of the EU regions, so I called mine “AWS Free Tier EU”, and I used my existing AD group “vRA Fabric Admins”. Next select the regions you want to be able to deploy to – bearing in mind you will need a VPC in each to be able to deploy to them.

Create a Reservation for AWS

The General tab is configured as you would any other Reservation in vRA. Create a Name, assign to a Tenant, Business Group and Reservation Policy (optional), and assign a Priority.

On the Resources tab it gets a little more in depth. I have a VPC configured in eu-west-1, so I’m going to create a reservation there – I select the AWS Free Tier-eu-west-1 compute resource. I’m going to set the Machine Quota to 10, for my own peace of mind. Next specify how you’d like to handle the key pairs for the deployed VMs – you can select:

Not specified

Auto-Generated per business group

Auto-Generated per machine

Specific key pair

They’re pretty self-explanatory, but I’m going to set it to use my existing key pair.

<SNIP> There’s a bit more to this post that I’ll update soon. I don’t normally publish half-finished posts, but this one is for Steven Viljoen who needed some help on Twitter!

Setting up an #AWS endpoint in #vRA7 shouldn’t be this difficult. Add IAM keys to credentials and boom…Unauthorised! Any hints welcome!


Comments

Hi Sam.
Thanks again for this, but still hitting a wall.
Have only 1 VPC set up (no LB obviously) but otherwise all the same as your post, but still getting the following 2 errors from the DEM-worker.

Failed to run Amazon EC2 data collection. Error: AWS was not able to validate the provided access credentials.

Workflow ‘AmazonEC2EndpointDataCollection’ failed with the following exception:
AWS was not able to validate the provided access credentials
Inner Exception: The remote server returned an error: (401) Unauthorized.

Have checked NTP across the environment and all are synced and accurate.

Currently going through all the logs I can find to try to identify some more details.

Trackbacks

[…] get a bit of a background on my AWS setup for vRealize Automation, take a look at this post – Adding an AWS endpoint to vRealize Automation 7. The VPCs and configuration described in this article are my starting […]